Pullup ticket #4101 - requested by tez

textproc/libxml2: security patch Revisions pulled up: - textproc/libxml2/Makefile 1.123 - textproc/libxml2/distinfo 1.98 - textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339 1.1 --- Module Name: pkgsrc Committed By: tez Date: Fri Mar 8 23:59:31 UTC 2013 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/ patches: patch-CVE-2013-0338-CVE-2013-0339 Log Message: Fix for CVE-2013-0338 & CVE-2013-0339 from https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab bump PKGREVISION
author: tron <tron> 2013-03-17 11:22:02 +0000
committer: tron <tron> 2013-03-17 11:22:02 +0000
commit: 5b128f7cfa42d1331a51f7461917addf7bee4c3e (patch)
tree: 33f68853ef3166d4ee20abf048617e03feb50a3a
parent: 65da8aaf99d6acb17411d0ecdafd2d677ed852cb (diff)
download: pkgsrc-5b128f7cfa42d1331a51f7461917addf7bee4c3e.tar.gz
3 files changed, 155 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 2fa24a11816..e5d3dfcfa9c 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.122 2012/12/15 12:39:24 drochner Exp $
+# $NetBSD: Makefile,v 1.122.2.1 2013/03/17 11:22:02 tron Exp $
 
 DISTNAME=	libxml2-2.9.0
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	textproc
 MASTER_SITES=	ftp://xmlsoft.org/libxml2/ \
 		http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index ae3b0736c9b..aad930c0cae 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.96 2012/12/15 12:39:24 drochner Exp $
+$NetBSD: distinfo,v 1.96.2.1 2013/03/17 11:22:03 tron Exp $
 
 SHA1 (libxml2-2.9.0.tar.gz) = a43d7c0a8e463ac5a7846254f2a732a9af146fab
 RMD160 (libxml2-2.9.0.tar.gz) = d025639320bb34adbc45a43f46354190f6bbb7b5
 Size (libxml2-2.9.0.tar.gz) = 5161069 bytes
 SHA1 (patch-CVE-2012-5134) = 22caaed2b03334d42253b2b1c5a43473e6c8b4dc
+SHA1 (patch-CVE-2013-0338-CVE-2013-0339) = d9eb3fe147dff5afd6920d818e5f982505e0663f
 SHA1 (patch-aa) = 6fcfb2e1ac374a7a047ee188a61ef218106ee54a
 SHA1 (patch-ab) = c399ed5bfd429c2bac1de6f500d2ef47ab06f2fd
 SHA1 (patch-ac) = 101cd554fd22e8e9817e21591240eb784b1219b5
diff --git a/textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339 b/textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339
new file mode 100644
index 00000000000..4476a749a4f
--- /dev/null
+++ b/textproc/libxml2/patches/patch-CVE-2013-0338-CVE-2013-0339
@@ -0,0 +1,151 @@
+$NetBSD: patch-CVE-2013-0338-CVE-2013-0339,v 1.1.2.2 2013/03/17 11:22:03 tron Exp $
+
+Fix for CVE-2013-0338 & CVE-2013-0339
+
+From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 19 Feb 2013 02:21:49 +0000
+Subject: Detect excessive entities expansion upon replacement
+
+If entities expansion in the XML parser is asked for,
+it is possble to craft relatively small input document leading
+to excessive on-the-fly content generation.
+This patch accounts for those replacement and stop parsing
+after a given threshold. it can be bypassed as usual with the
+HUGE parser option.
+
+
+--- include/libxml/parser.h
++++ include/libxml/parser.h
+@@ -310,6 +310,7 @@ struct _xmlParserCtxt {
+     xmlParserNodeInfo *nodeInfoTab;   /* array of nodeInfos */
+ 
+     int                input_id;      /* we need to label inputs */
++    unsigned long      sizeentcopy;   /* volume of entity copy */
+ };
+ 
+ /**
+
+
+--- parser.c
++++ parser.c
+@@ -122,7 +122,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+  */
+ static int
+ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+-                     xmlEntityPtr ent)
++                     xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
+ 
+@@ -130,7 +130,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+         return (0);
+     if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+         return (1);
+-    if (size != 0) {
++    if (replacement != 0) {
++	if (replacement < XML_MAX_TEXT_LENGTH)
++	    return(0);
++
++        /*
++	 * If the volume of entity copy reaches 10 times the
++	 * amount of parsed data and over the large text threshold
++	 * then that's very likely to be an abuse.
++	 */
++        if (ctxt->input != NULL) {
++	    consumed = ctxt->input->consumed +
++	               (ctxt->input->cur - ctxt->input->base);
++	}
++        consumed += ctxt->sizeentities;
++
++        if (replacement < XML_PARSER_NON_LINEAR * consumed)
++	    return(0);
++    } else if (size != 0) {
+         /*
+          * Do the check based on the replacement size of the entity
+          */
+@@ -176,7 +193,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+          */
+         return (0);
+     }
+-
+     xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+     return (1);
+ }
+@@ -2743,7 +2759,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+ 			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+-			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
++			    if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ 				goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 			}
+@@ -2785,7 +2801,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+ 			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+-			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
++			    if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ 			        goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 			}
+@@ -7203,7 +7219,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	    xmlFreeNodeList(list);
+ 	    return;
+ 	}
+-	if (xmlParserEntityCheck(ctxt, 0, ent)) {
++	if (xmlParserEntityCheck(ctxt, 0, ent, 0)) {
+ 	    xmlFreeNodeList(list);
+ 	    return;
+ 	}
+@@ -7361,6 +7377,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 		xmlNodePtr nw = NULL, cur, firstChild = NULL;
+ 
+ 		/*
++		 * We are copying here, make sure there is no abuse
++		 */
++		ctxt->sizeentcopy += ent->length;
++		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++		    return;
++
++		/*
+ 		 * when operating on a reader, the entities definitions
+ 		 * are always owning the entities subtree.
+ 		if (ctxt->parseMode == XML_PARSE_READER)
+@@ -7400,6 +7423,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	    } else if ((list == NULL) || (ctxt->inputNr > 0)) {
+ 		xmlNodePtr nw = NULL, cur, next, last,
+ 			   firstChild = NULL;
++
++		/*
++		 * We are copying here, make sure there is no abuse
++		 */
++		ctxt->sizeentcopy += ent->length;
++		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++		    return;
++
+ 		/*
+ 		 * Copy the entity child list and make it the new
+ 		 * entity child list. The goal is to make sure any
+@@ -14767,6 +14798,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+     ctxt->catalogs = NULL;
+     ctxt->nbentities = 0;
+     ctxt->sizeentities = 0;
++    ctxt->sizeentcopy = 0;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+ 
+     if (ctxt->attsDefault != NULL) {
+
+
+--- parserInternals.c
++++ parserInternals.c
+@@ -1719,6 +1719,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+     ctxt->catalogs = NULL;
+     ctxt->nbentities = 0;
++    ctxt->sizeentities = 0;
++    ctxt->sizeentcopy = 0;
+     ctxt->input_id = 1;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+     return(0);
author	tron <tron>	2013-03-17 11:22:02 +0000
committer	tron <tron>	2013-03-17 11:22:02 +0000
commit	5b128f7cfa42d1331a51f7461917addf7bee4c3e (patch)
tree	33f68853ef3166d4ee20abf048617e03feb50a3a
parent	65da8aaf99d6acb17411d0ecdafd2d677ed852cb (diff)
download	pkgsrc-5b128f7cfa42d1331a51f7461917addf7bee4c3e.tar.gz